What about authentication and passwords? A translation of the Javelin report "The State of Strong Authentication", with comments

Spoiler, from the report's title page: "Strong authentication adoption is growing because of new threats and regulatory requirements."
The research company Javelin Strategy & Research has published the report "The State of Strong Authentication 2019" (the original, in PDF format, can be downloaded here). The report covers: what percentage of US and European companies use passwords (and why some still rely on passwords today); why two-factor authentication based on cryptographic tokens is growing so fast; and why one-time codes delivered by SMS are insecure.

Anyone interested in the present, past and future of authentication in enterprises and consumer applications is welcome.

From the translator

Alas, the language in which this report is written is dry and formal. The word "authentication" appearing five times in one short sentence is not the translator's clumsy hands (or brain) but the authors' whim. When translating I had two options, to give readers a text close to the original or a more readable one, and sometimes I chose the first and sometimes the second. But bear with it, dear readers: the content of the report is worth it.

Some pieces that were unimportant and unnecessary for the story have been cut, otherwise most readers would not have made it through the whole text. Those who want to read the report "uncut" can do so in the original language by following the link.

Unfortunately, the authors are not always careful with terminology. Thus one-time passwords (One Time Password, OTP) are sometimes called "passwords" and sometimes "codes". It is even worse with authentication methods. It is not always easy for an untrained reader to guess that "authentication using cryptographic keys" and "strong authentication" are the same thing. I tried to unify the terms as much as possible, and the report itself contains a section describing them.

Nevertheless, the report is highly recommended reading, because it contains unique research results and correct conclusions.

All figures and facts are given without the slightest change, and if you disagree with them it is better to argue not with the translator but with the report's authors. My comments (set out as quotations and marked in italics in the text) are my own value judgements, and I will be happy to argue about each of them (as well as about the quality of the translation).

Overview

Today, digital channels for communicating with customers are more important for business than ever. And inside the company, communication between employees is more digitally oriented than ever before. How secure these interactions are depends on the chosen method of user authentication. Attackers exploit weak authentication to hack user accounts on a massive scale. In response, regulators have tightened standards to force businesses to protect user accounts and data better.

Authentication-related threats go beyond consumer applications; attackers can also gain access to applications running inside the enterprise. Doing so lets them impersonate corporate users. Attackers who exploit access points with weak authentication can steal data and carry out other fraud. Fortunately, there are measures to counter this. Strong authentication significantly reduces the risk of attack, both in consumer applications and in enterprise business systems.

This study examines: how enterprises implement authentication to protect end-user applications and enterprise business systems; the factors they consider when choosing an authentication solution; the role strong authentication plays in their organizations; and the benefits these organizations obtain.

Summary

Key findings

Since 2017, the use of strong authentication has grown sharply. With the growing number of vulnerabilities affecting traditional authentication solutions, organizations are reinforcing their authentication capabilities with strong authentication. The number of organizations using cryptographic multi-factor authentication (MFA) has tripled since 2017 for consumer applications and grown by almost 50% for enterprise applications. The fastest growth is in mobile authentication, thanks to the increasing availability of biometric authentication.

Here we see an example of the saying "until the thunder strikes, a man will not cross himself." While experts warned about the insecurity of passwords, nobody hurried to implement two-factor authentication. As soon as hackers started stealing passwords, people started implementing two-factor authentication.

Admittedly, individuals are adopting 2FA much more actively. First, it is easier for them to calm their fears by relying on the biometric authentication built into smartphones, which is in fact very unreliable. Organizations have to spend money on buying tokens and do the (in fact very simple) work of deploying them. Second, only the lazy have not written about password leaks from services like Facebook and Dropbox, but under no circumstances will the CIOs of such organizations share stories of how passwords were stolen inside their organizations (and what happened next).

Those who do not use strong authentication underestimate the risk to their business and their customers. Some organizations that do not currently use strong authentication tend to regard login and password as one of the most effective and easy-to-use methods of user authentication. Others do not see the value of the digital assets they hold. After all, it is worth keeping in mind that cybercriminals are interested in any consumer and business information. Two thirds of companies that use only passwords to authenticate their employees do so because they believe passwords are good enough for the kind of information they protect.

However, passwords are on their way to the grave. Reliance on passwords has fallen significantly over the past year for both consumer and enterprise applications (from 44% to 31%, and from 56% to 47%, respectively) as organizations increase their use of traditional MFA and strong authentication.
But looking at the situation as a whole, vulnerable authentication methods still prevail. For user authentication, about a third of organizations use SMS OTP (one-time passwords) together with security questions. As a result, additional security measures have to be deployed to protect against the vulnerability, which increases costs. Far more secure authentication methods, such as hardware cryptographic keys, are used much less often, in about 5% of organizations.

Changes in the regulatory environment promise to increase adoption of strong authentication for consumer applications. With the introduction of PSD2, as well as new data protection rules in the EU and in several US states such as California, companies are feeling the pressure. Almost 70% of companies agree that they face strong regulatory pressure to provide strong authentication to their customers. More than half of companies believe that within a few years their authentication methods will no longer be sufficient to meet regulatory standards.

The difference in approach between Russian and American-European legislators to protecting the personal data of users of programs and services is plainly visible. The Russians say: dear service owners, do whatever you want however you want, but if your admin leaks the database, we will punish you. Abroad they say: you must implement a set of measures that will not let the database leak. That is why strict two-factor authentication requirements are being introduced there.
True, it is far from certain that our legislative machine will not one day come to its senses and take Western experience into account. Then it will turn out that everyone must implement 2FA that complies with Russian cryptographic standards, and urgently.

Building a strong authentication foundation allows companies to shift their focus from meeting regulatory requirements to meeting customer needs. For organizations that still use simple passwords or codes received by SMS, the most important factor in choosing an authentication method will be compliance with regulatory requirements. But companies that already use strong authentication can focus on choosing authentication methods that increase customer loyalty.

When choosing an authentication method for use within the enterprise, regulatory requirements are no longer a significant factor. Here, ease of integration (32%) and cost (26%) matter much more.

In the era of phishing, attackers can use corporate email for fraud: to gain access to data and accounts (with the corresponding access rights), and even to persuade employees to transfer money to the attacker's account. Therefore corporate email and portal accounts must be especially well protected.

Google has strengthened its security by implementing strong authentication. More than two years ago, Google published a report on its rollout of two-factor authentication based on cryptographic security keys using the FIDO U2F standard, reporting impressive results. According to the company, there was not a single successful phishing attack against its more than 85,000 employees.

Recommendations

Implement strong authentication for mobile and online applications. Multi-factor authentication based on cryptographic keys provides much better protection against hacking than traditional MFA methods. In addition, using cryptographic keys is much more convenient, because there is no need to use and transmit extra information, such as passwords, one-time passwords or biometric data, from the user's device to the authentication server. Moreover, standardized authentication protocols make it much easier to adopt new authentication methods as they become available, reducing implementation costs and protecting against more sophisticated fraud schemes.

Prepare for the demise of one-time passwords (OTP). The vulnerabilities inherent in OTPs are becoming ever more apparent as cybercriminals use social engineering, smartphone cloning and malware to compromise these means of authentication. And if OTPs have certain advantages in some cases, it is only from the point of view of universal availability for all users, not from the point of view of security.

One cannot help noticing that receiving codes by SMS or push notification, as well as generating codes with smartphone apps, is the use of the very same one-time passwords (OTP) whose demise we are asked to prepare for. From a technical point of view the recommendation is quite right, because it is a rare fraudster who does not try to coax a one-time password out of a gullible user. But I think the vendors of such systems will cling to the dying technology to the very end.

Use strong authentication as a marketing tool to increase customer trust. Strong authentication can do more than improve the actual security of your business. Informing customers that your business uses strong authentication can strengthen the public perception of that business's security, which matters most when there is significant customer demand for strong authentication methods.

Conduct a thorough inventory and criticality assessment of corporate data, and protect it according to its importance. Even low-risk data such as customer contact information (no, really, the report says "low-risk"; it is very strange that they underestimate the importance of this information) can be of considerable value to fraudsters and cause trouble for the company.

Use strong enterprise authentication. A number of systems are the most attractive targets for criminals. These include internal and Internet-facing systems such as accounting software or a corporate data warehouse. Strong authentication prevents attackers from gaining unauthorized access, and also makes it possible to determine precisely which employee performed a malicious action.

What is strong authentication?

With strong authentication, several methods or factors are used to verify the user's identity:

  • Knowledge factor: a shared secret between the user and the party authenticating the user (for example a password, answers to security questions, and so on)
  • Possession factor: a device that only the user has (for example a mobile device, a cryptographic key, and so on)
  • Inherence factor: physical (usually biometric) characteristics of the user (for example fingerprints, iris pattern, voice, behaviour, and so on)

The need to break several factors greatly increases the chance of failure for attackers, since bypassing or deceiving several factors requires several kinds of attack tactics, one for each factor separately.

For example, with "password + smartphone" 2FA, an attacker can authenticate by spying on the user's password and making an exact software copy of the smartphone. And that is much harder than simply stealing a password.

But if a password and a cryptographic token are used for 2FA, the copying option does not work: the token cannot be duplicated. The fraudster would have to quietly steal the token from the user. If the user notices the loss in time and notifies the administrator, the token is blocked and the fraudster's efforts are wasted. This is why the possession factor should use specialized secure devices (tokens) rather than general-purpose devices (smartphones).

Using all three factors would make this authentication method quite expensive to implement and rather inconvenient to use. Therefore two of the three factors are normally used.

The principles of two-factor authentication are described in more detail here, in the "How two-factor authentication works" section.

It is important to note that at least one of the authentication factors used in strong authentication must be based on public-key cryptography.

Strong authentication gives much stronger protection than single-factor authentication based on classic passwords and than traditional MFA. Passwords can be spied on or intercepted using keyloggers, phishing sites or social engineering attacks (where the victim is tricked into revealing their password). Moreover, the owner of the password will know nothing about the theft. Traditional MFA (including OTP codes, binding to a smartphone or a SIM card) is also fairly easy to break, since it is not based on public-key cryptography. (By the way, there are many examples of scammers using the same social engineering techniques to talk users into handing over a one-time password.)
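To make the public-key point above concrete, here is an added example written for this page by the editor; it is not code from the Javelin report or the translator. It models a challenge-response login with a private key that stays on the token, in the spirit of the FIDO U2F keys mentioned earlier, and plays the attacks the text discusses against the server: replaying an old assertion, relaying a fresh challenge through a phishing site, and editing the relayed assertion. The origins bank.example and evil.example, the type and function names, and the simplified signed data (a SHA-256 of origin and challenge rather than the real U2F message layout) are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Assertion is what the token hands to the browser, which relays it to the server.
type Assertion struct {
	Origin    string // origin the browser was on when it asked the token to sign
	Challenge []byte // 32 random bytes issued by the server
	Sig       []byte // ASN.1 DER ECDSA signature over digest(Origin, Challenge)
}

// digest is the exact byte string the signature covers. Because the origin is
// part of it, an assertion produced on a phishing site is useless to the real one.
func digest(origin string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write(challenge) // fixed length, so origin||challenge parses unambiguously
	return h.Sum(nil)
}

// Sign runs on the token (the possession factor: a P-256 key that never leaves
// it). The browser, not the web page, supplies the origin it is actually on.
func Sign(token *ecdsa.PrivateKey, origin string, challenge []byte) Assertion {
	sig, err := ecdsa.SignASN1(rand.Reader, token, digest(origin, challenge))
	if err != nil {
		panic(err)
	}
	return Assertion{Origin: origin, Challenge: challenge, Sig: sig}
}

// Server keeps only the registered public key and the challenges it has issued
// but not yet consumed; a challenge is consumed only by a successful login.
type Server struct {
	origin      string
	pub         *ecdsa.PublicKey
	outstanding map[string]bool
}

func (s *Server) NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	s.outstanding[string(c)] = true
	return c
}

var (
	ErrUnknownChallenge = errors.New("challenge not outstanding: replay or forgery")
	ErrWrongOrigin      = errors.New("assertion made for another origin: phishing relay")
	ErrBadSignature     = errors.New("signature does not verify")
)

// Verify checks freshness, origin and signature, in that order.
func (s *Server) Verify(a Assertion) error {
	switch {
	case !s.outstanding[string(a.Challenge)]:
		return ErrUnknownChallenge
	case a.Origin != s.origin:
		return ErrWrongOrigin
	case !ecdsa.VerifyASN1(s.pub, digest(a.Origin, a.Challenge), a.Sig):
		return ErrBadSignature
	}
	delete(s.outstanding, string(a.Challenge))
	return nil
}

// RunScenarios registers one token and plays four logins, returning each outcome.
func RunScenarios() map[string]error {
	token, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	srv := &Server{origin: "https://bank.example", pub: &token.PublicKey, outstanding: map[string]bool{}}
	res := map[string]error{}
	a := Sign(token, "https://bank.example", srv.NewChallenge()) // honest login
	res["legit"] = srv.Verify(a)
	res["replay"] = srv.Verify(a) // same assertion again: its challenge is spent
	// Phishing relay: attacker fetches a fresh challenge from the bank and forwards
	// it to the victim, whose browser is on evil.example and signs for that origin.
	phished := Sign(token, "https://evil.example", srv.NewChallenge())
	res["phish"] = srv.Verify(phished)
	phished.Origin = "https://bank.example" // attacker edits the origin before relaying
	res["tamper"] = srv.Verify(phished)
	return res
}

func main() {
	res := RunScenarios()
	for _, name := range []string{"legit", "replay", "phish", "tamper"} {
		fmt.Printf("%-6s -> %v\n", name, res[name])
	}
}
```

Only the honest login succeeds. The replay fails because the challenge was consumed, the relayed assertion fails because the origin the browser signed for is not the bank's, and rewriting the origin field breaks the signature, which is exactly what an SMS or app-generated OTP cannot offer: a six-digit code carries no proof of where it was typed.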

Fortunately, the use of strong authentication and traditional MFA has been gaining ground in both consumer and enterprise applications since last year. The use of strong authentication in consumer applications has grown especially quickly. In 2017 only 5% of companies used it; in 2018 the figure was already three times higher, 16%. This can be explained by the increased availability of tokens supporting public-key cryptography (PKC) algorithms. In addition, increased pressure from European regulators after the adoption of new data protection rules such as PSD2 and GDPR has had an effect even outside Europe (including in Russia).

Let's look more closely at the report's numbers. As we can see, the share of individuals using multi-factor authentication grew by 11% over the year. And this clearly happened at the expense of password lovers, since the number of those who believe in the security of push notifications, SMS and biometrics did not change.

But with two-factor authentication for corporate use, things are not so good. First, according to the report, only 5% of employees were moved from password authentication to tokens. And second, the number of those using alternative MFA options in the corporate environment grew by 4%.

I will try to play analyst and offer my interpretation. At the centre of an individual user's digital world is the smartphone. So it is not surprising that most people use the capabilities the device gives them: biometric authentication, SMS and push notifications, and one-time passwords generated by apps on the smartphone itself. People usually do not think about security and reliability when using tools they are used to.

That is why the share of users of the primitive "traditional" authentication factors stays unchanged. But those who previously used passwords understand how much they are risking, and when choosing a new authentication factor they pick the newest and most secure option: a cryptographic token.

As for the corporate market, it is important to understand which system the authentication is performed in. If logon to a Windows domain is implemented, then cryptographic tokens are used. The ability to use them for 2FA is already built into both Windows and Linux, while alternative options are long and hard to implement. So much for the 5% migration from passwords to tokens.

And the implementation of 2FA in a corporate information system depends very much on the qualifications of the developers. And it is much easier for developers to take ready-made modules for generating one-time passwords than to understand how cryptographic algorithms work. As a result, even extremely security-critical applications such as Single Sign-On or Privileged Access Management systems use OTP as the second factor.

Numerous vulnerabilities in traditional authentication methods

While many organizations continue to rely on legacy single-factor solutions, vulnerabilities in traditional multi-factor authentication are becoming ever more apparent. One-time passwords, typically six to eight characters long and delivered by SMS, remain the most common form of authentication (apart from the password factor, of course). And when the words "two-factor authentication" or "two-step verification" appear in the popular press, they almost always refer to SMS one-time password authentication.

Here the author is slightly mistaken. Delivering a one-time password by SMS is by no means two-factor authentication. It is, in its purest form, the second step of two-step authentication, where the first step is entering your login and password.

In 2016 the National Institute of Standards and Technology (NIST) updated its authentication guidelines to rule out the use of one-time passwords sent by SMS. However, these rules were significantly relaxed after protests from industry.

So let's follow the plot. The American regulator admits that outdated technologies cannot keep users secure and introduces new standards, standards designed to protect users of online and mobile applications (including banking ones). The industry calculates how much money it will have to spend on buying genuinely reliable cryptographic tokens, redesigning applications and deploying a public key infrastructure, and "rears up on its hind legs." On the one hand, users were assured of the reliability of one-time passwords, and on the other, NIST came under attack. As a result the standard was softened, and the number of hacks and thefts of passwords (and of money from banking applications) rose sharply. But the industry did not have to shell out.

Since then, the weaknesses of SMS OTP have become even more obvious. Fraudsters use various methods to compromise SMS messages:

  • SIM card duplication. Attackers make a copy of the SIM (with the help of mobile operator employees, or on their own using special software and hardware). As a result, the attacker receives the SMS with the one-time password. In one particularly high-profile case, hackers managed to compromise the AT&T account of cryptocurrency investor Michael Terpin and steal nearly $24 million in cryptocurrency. Terpin subsequently claimed that AT&T was at fault because of the weak verification measures that allowed the SIM card to be duplicated.

    Wonderful logic. So it is really only AT&T's fault? No, it is undoubtedly the mobile operator's fault that the sales staff in a phone shop issued a duplicate SIM card. But what about the cryptocurrency exchange's authentication mechanism? Why did they not use strong cryptographic tokens? Was it a pity to spend money on the rollout? Isn't Michael himself to blame? Why did he not insist on changing the authentication mechanism, or use only exchanges that implement two-factor authentication based on cryptographic tokens?

    The introduction of genuinely reliable authentication methods is delayed precisely because users show amazing carelessness before a hack, and afterwards blame their troubles on anyone and anything except ancient and "leaky" authentication technologies.

  • Malware. One of the earliest functions of mobile malware was to intercept and forward text messages to attackers. Man-in-the-browser and man-in-the-middle attacks can also intercept one-time passwords when they are entered on infected laptops or desktop computers.

    When the Sberbank app on your smartphone flashes a green icon in the status bar, it is also looking for "malware" on your phone. The aim of this exercise is to turn the untrusted execution environment of a typical smartphone into a trusted one, at least in some sense.
    By the way, the smartphone, as a completely untrusted device on which anything at all can happen, is one more reason to use only hardware tokens for authentication, which are protected and free of viruses and Trojans.

  • Social engineering. When scammers know that the victim has OTPs enabled by SMS, they can contact the victim directly, posing as a trusted organization such as their bank or credit union, to persuade the victim to hand over the code they have just received.

    I have personally encountered this kind of fraud many times, for example when trying to sell something on a popular online marketplace. I myself made fun of the scammer who tried to fool me, to my heart's content. But alas, I regularly read in the news how yet another victim of scammers "didn't think", gave out the confirmation code and lost a large sum. And all this is because the bank simply does not want to bother with implementing cryptographic tokens in its applications. After all, if something happens, the clients "have only themselves to blame".

Although alternative OTP delivery methods can mitigate some of the vulnerabilities of this authentication method, other vulnerabilities remain. Standalone code-generator apps are the best protection against eavesdropping, since even malware cannot interact directly with the code generator (seriously? Did the report's author forget about remote control?), but OTPs can still be intercepted when entered in the browser (for example with a keylogger) or through a hacked mobile app, and can also be obtained directly from the user by social engineering.
Using several risk assessment tools such as device recognition (detecting attempts to transact from devices that do not belong to the legitimate user), geolocation (a user who was just in Moscow attempting an operation from Novosibirsk) and behavioural analysis is important for addressing vulnerabilities, but no single solution is a panacea. For each situation and type of data, the risks must be carefully assessed and the authentication technology chosen accordingly.
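To show why the OTP weaknesses described in the last two paragraphs are inherent in the mechanism rather than in any one delivery channel, here is an added example written for this page by the editor (not code from the report or the translator): an RFC 4226/6238 HOTP/TOTP generator and a server-side verifier with one-time-use tracking, run through the cases just mentioned: a cloned seed, a code relayed in real time by a phishing page, and a stale intercepted code. The seed is the RFC 6238 test vector used as a constructed sample; the Verifier type, its skew of 0 (chosen so the outcomes do not depend on neighbouring time steps, whereas real verifiers usually allow one step either way) and the scenario names are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

// HOTP (RFC 4226): HMAC-SHA1 over the big-endian 8-byte counter, dynamic
// truncation to 31 bits, then the low `digits` decimal digits, zero-padded.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP (RFC 6238): the counter is the number of whole time steps since the Unix epoch.
func TOTP(secret []byte, at time.Time, step time.Duration, digits int) string {
	return HOTP(secret, uint64(at.Unix())/uint64(step/time.Second), digits)
}

// Verifier is the server side. It holds the same seed as the generator and
// remembers which time steps have already been redeemed, so a code is accepted
// at most once (the usual defence against replay).
type Verifier struct {
	secret []byte
	step   time.Duration
	digits int
	skew   int             // extra steps of clock drift accepted either side of "now"
	used   map[uint64]bool // redeemed counters
}

// Check accepts the code if it matches an unredeemed step inside the window.
func (v *Verifier) Check(code string, now time.Time) bool {
	base := int64(uint64(now.Unix()) / uint64(v.step/time.Second))
	for d := -v.skew; d <= v.skew; d++ {
		c := uint64(base + int64(d))
		if v.used[c] {
			continue
		}
		if hmac.Equal([]byte(HOTP(v.secret, c, v.digits)), []byte(code)) {
			v.used[c] = true
			return true
		}
	}
	return false
}

// RunOTPScenarios replays four submissions against one verifier with a fixed
// clock and returns whether each was accepted. The seed is the RFC 6238 test
// seed, used here as a constructed sample.
func RunOTPScenarios() map[string]bool {
	seed := []byte("12345678901234567890")
	step := 30 * time.Second
	srv := &Verifier{secret: seed, step: step, digits: 6, skew: 0, used: map[uint64]bool{}}
	res := map[string]bool{}

	// Cloned seed (malware, a plaintext backup, a cloned phone): the attacker's
	// generator prints exactly the victim's code, and the server cannot tell.
	now := time.Unix(1111111109, 0)
	res["cloned_seed"] = srv.Check(TOTP(seed, now, step, 6), now)

	// Real-time phishing in the next step: the victim types the code into a fake
	// site, the attacker submits it first, and the victim's own login then fails
	// because one-time use now treats the victim as the replay.
	later := now.Add(step)
	victimCode := TOTP(seed, later, step, 6)
	res["phish_relay"] = srv.Check(victimCode, later)
	res["victim_after_relay"] = srv.Check(victimCode, later)

	// Stale code captured five minutes earlier: outside the window, rejected.
	res["stale"] = srv.Check(TOTP(seed, later.Add(-5*time.Minute), step, 6), later)
	return res
}

func main() {
	for name, ok := range RunOTPScenarios() {
		fmt.Printf("%-18s accepted=%v\n", name, ok)
	}
}
```

One-time use and the time window defeat the stale and replayed codes, but they are no help against the two attacks the text cares about: a copied seed yields identical codes, and a code relayed within its 30-second step is accepted from whoever submits it first. The verifier can only check that the code is right, never who typed it or where.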

No authentication solution is a panacea

Figure 2. Authentication methods: the factor each relies on, how it works, and its key vulnerabilities

  • Password or PIN (knowledge). A fixed value that can consist of letters, digits and other characters. Key vulnerabilities: can be intercepted, spied on, stolen, guessed or cracked.
  • Knowledge-based authentication (knowledge). Asks for answers that only the legitimate user should know. Key vulnerabilities: can be intercepted, guessed, or obtained by social engineering.
  • Hardware OTP generator (possession). A dedicated device that generates one-time passwords. Key vulnerabilities: codes can be intercepted and replayed, or the device can be stolen.
  • Software OTP (possession). An application (mobile, browser-based, or one that sends codes by e-mail) that generates one-time passwords. Key vulnerabilities: codes can be intercepted and replayed, or the device can be stolen.
  • SMS OTP (possession). A one-time password delivered by SMS text message. Key vulnerabilities: codes can be intercepted and replayed, the smartphone or SIM can be stolen, or the SIM card can be cloned.
  • Smart cards (possession). A card containing a cryptographic chip and secure key storage that uses public-key infrastructure for authentication. Key vulnerabilities: can be physically stolen (but the attacker cannot use the device without knowing the PIN; after several wrong attempts the device is locked).
  • Security keys, tokens (possession). A USB device containing a cryptographic chip and secure key storage that uses public-key infrastructure for authentication. Key vulnerabilities: can be physically stolen (but the attacker cannot use the device without knowing the PIN; after several wrong attempts the device is locked).
  • Device binding (possession). A process that builds a profile, often with JavaScript, or uses markers such as cookies and Flash Shared Objects to confirm that a particular device is being used. Key vulnerabilities: the markers can be stolen (copied), and the characteristics of a legitimate device can be imitated by an attacker on their own device.
  • Behaviour (inherence). Analyses how the user interacts with the device or application. Key vulnerabilities: behaviour can be imitated.
  • Fingerprints (inherence). Stored fingerprints are compared with those captured optically or electronically. Key vulnerabilities: the image can be stolen and used for authentication.
  • Eye scan (inherence). Characteristics of the eye, such as the iris pattern, are compared with a fresh optical scan. Key vulnerabilities: the image can be stolen and used for authentication.
  • Face recognition (inherence). Facial characteristics are compared with a fresh optical scan. Key vulnerabilities: the image can be stolen and used for authentication.
  • Voice recognition (inherence). Characteristics of a recorded voice sample are compared with a fresh sample. Key vulnerabilities: the recording can be stolen and used for authentication, or the voice can be imitated.

In the second part of the report the tastiest part awaits us: the numbers and facts on which the conclusions and recommendations given in the first part are based. Authentication in user applications and in corporate systems will be discussed separately.

See you soon!

Source: www.hab.com
